MySQL Enterprise Firewall is an application-level firewall that enables database administrators to permit or deny SQL statement execution based on matching against allowlists of accepted statement patterns. This helps harden MySQL against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics.
Each MySQL account registered with the firewall has its own statement allowlist, enabling protection to be tailored per account. For a given account, the firewall can operate in recording, protecting, or detecting mode, for training in the accepted statement patterns, active protection against unacceptable statements, or passive detection of unacceptable statements.
MySQL Enterprise Firewall installation is a one-time operation that involves running
a script located in the
share directory of
your MySQL installation.
To install MySQL Enterprise Firewall:
linux_install_firewall.sqlscript that is located in the
The installation script creates stored procedures in the default database, so choose a database to use. Then run the script as follows, naming the chosen database on the command line. This deployment uses the
shell> cd /usr/local/mysql shell> bin/mysql -u root -p mysql < /usr/local/mysql/share/linux_install_firewall.sql Enter password: (enter root password here)
To enable the firewall, enable the
mysql_firewall_modesystem variable. By default, this variable is enabled when the firewall is installed. To configure the firewall state explicitly, add it under the
[mysqld]option group in the MySQL configuration file:
Restart MySQL server to apply the new configuration settings.
shell> systemctl restart mysqld
To verify that MySQL Enterprise Firewall is enabled, connect to the server and execute this statement:
shell> cd /usr/local/mysql shell> bin/mysql -u root -p Enter password: (enter the root password here)
mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode'; +---------------------+-------+ | Variable_name | Value | +---------------------+-------+ | mysql_firewall_mode | ON | +---------------------+-------+
MySQL Enterprise Firewall is now enabled an ready for use. For information about registering accounts with the firewall and configuring operational modes, see Using MySQL Enterprise Firewall. An example is provided that demonstrates how to register an account with the firewall, use the firewall to learn acceptable statements for the account, and protect the account against execution of unacceptable statements.